They probably aren't the only ones who have figured it out, as the recent Anti-Sec people are making very clear. Making it public forces it to get fixed so that nobody can use it, instead of only the Russian Business Network being able to use it.
This is a defect in the product which could substantially harm the users of the product. The people who know about the defect have a moral obligation to inform the people who are at risk, and to give those people adequate information to verify that the defect really exists.
It's also worth noting that Apple has imposed technical measures which attempt to prevent iPhone users from correcting this defect on their own iPhones, even if they know where it is. I think they also claim that copyright law prohibits those users from correcting the defect. Under these circumstances, Apple and the attacker ought to be jointly liable for any damages caused by an attacker exploiting the flaw.